studio/docs
Archived
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

🛂(back) restrict ask for access to root documents

Browse Source 
In a first version we want to restrict the ask for access feature only
to root document. We will work on opening to all documents when iherited
permissions will be implemented.
This commit is contained in:
Manuel Raynaud
2025-07-08 10:58:48 +02:00
committed by Anthony LC
parent 82f2cb59e6
commit 95838e332c
2 changed files with 117 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
src/backend/core/api/viewsets.py
View File

@@ -1910,7 +1910,8 @@ class DocumentAskForAccessViewSet(
if self._document is None:
try:
self._document = models.Document.objects.get(
pk=self.kwargs["resource_id"]
pk=self.kwargs["resource_id"],
depth=1,
)
except models.Document.DoesNotExist as e:
raise drf.exceptions.NotFound("Document not found.") from e

116
src/backend/core/tests/documents/test_api_documents_ask_for_access.py
View File

@@ -97,6 +97,23 @@ def test_api_documents_ask_for_access_create_authenticated():
assert document.title.lower() in email_subject.lower()
def test_api_documents_ask_for_access_create_authenticated_non_root_document():
"""
Authenticated users should not be able to create a document ask for access on a non-root
document.
"""
parent = DocumentFactory()
child = DocumentFactory(parent=parent)
user = UserFactory()
client = APIClient()
client.force_login(user)
response = client.post(f"/api/v1.0/documents/{child.id}/ask-for-access/")
assert response.status_code == 404
def test_api_documents_ask_for_access_create_authenticated_specific_role():
"""
Authenticated users should be able to create a document ask for access with a specific role.
@@ -196,6 +213,20 @@ def test_api_documents_ask_for_access_list_authenticated():
}
def test_api_documents_ask_for_access_list_authenticated_non_root_document():
"""
Authenticated users should not be able to list document ask for access on a non-root document.
"""
parent = DocumentFactory()
child = DocumentFactory(parent=parent)
client = APIClient()
client.force_login(UserFactory())
response = client.get(f"/api/v1.0/documents/{child.id}/ask-for-access/")
assert response.status_code == 404
def test_api_documents_ask_for_access_list_authenticated_own_request():
"""Authenticated users should be able to list their own document ask for access."""
document = DocumentFactory()
@@ -289,7 +320,7 @@ def test_api_documents_ask_for_access_list_non_owner_or_admin(role):
}
@pytest.mark.parametrize("role", [RoleChoices.OWNER])
@pytest.mark.parametrize("role", [RoleChoices.OWNER, RoleChoices.ADMIN])
def test_api_documents_ask_for_access_list_owner_or_admin(role):
"""Owner or admin users should be able to list document ask for access."""
user = UserFactory()
@@ -329,6 +360,23 @@ def test_api_documents_ask_for_access_list_owner_or_admin(role):
}
@pytest.mark.parametrize("role", [RoleChoices.OWNER, RoleChoices.ADMIN])
def test_api_documents_ask_for_access_list_admin_non_root_document(role):
"""
Authenticated users should not be able to list document ask for access on a non-root document.
"""
user = UserFactory()
parent = DocumentFactory(users=[(user, role)])
child = DocumentFactory(parent=parent, users=[(user, role)])
DocumentAskForAccessFactory.create_batch(3, document=child, role=RoleChoices.READER)
client = APIClient()
client.force_login(user)
response = client.get(f"/api/v1.0/documents/{child.id}/ask-for-access/")
assert response.status_code == 404
## Retrieve
@@ -415,6 +463,28 @@ def test_api_documents_ask_for_access_retrieve_owner_or_admin(role):
}
@pytest.mark.parametrize("role", [RoleChoices.OWNER, RoleChoices.ADMIN])
def test_api_documents_ask_for_access_retrieve_authenticated_non_root_document(role):
"""
Authenticated users should not be able to retrieve document ask for access on a non-root
document.
"""
user = UserFactory()
parent = DocumentFactory(users=[(user, role)])
child = DocumentFactory(parent=parent, users=[(user, role)])
document_ask_for_access = DocumentAskForAccessFactory(
document=child, role=RoleChoices.READER
)
client = APIClient()
client.force_login(user)
response = client.get(
f"/api/v1.0/documents/{child.id}/ask-for-access/{document_ask_for_access.id}/"
)
assert response.status_code == 404
## Delete
@@ -487,6 +557,28 @@ def test_api_documents_ask_for_access_delete_owner_or_admin(role):
).exists()
@pytest.mark.parametrize("role", [RoleChoices.OWNER, RoleChoices.ADMIN])
def test_api_documents_ask_for_access_delete_authenticated_non_root_document(role):
"""
Authenticated users should not be able to delete document ask for access on a non-root
document.
"""
user = UserFactory()
parent = DocumentFactory(users=[(user, role)])
child = DocumentFactory(parent=parent, users=[(user, role)])
document_ask_for_access = DocumentAskForAccessFactory(
document=child, role=RoleChoices.READER
)
client = APIClient()
client.force_login(user)
response = client.delete(
f"/api/v1.0/documents/{child.id}/ask-for-access/{document_ask_for_access.id}/"
)
assert response.status_code == 404
## Accept
@@ -654,3 +746,25 @@ def test_api_documents_ask_for_access_accept_authenticated_owner_or_admin_update
).exists()
document_access.refresh_from_db()
assert document_access.role == RoleChoices.ADMIN
@pytest.mark.parametrize("role", [RoleChoices.OWNER, RoleChoices.ADMIN])
def test_api_documents_ask_for_access_accept_authenticated_non_root_document(role):
"""
Authenticated users should not be able to accept document ask for access on a non-root
document.
"""
user = UserFactory()
parent = DocumentFactory(users=[(user, role)])
child = DocumentFactory(parent=parent, users=[(user, role)])
document_ask_for_access = DocumentAskForAccessFactory(
document=child, role=RoleChoices.READER
)
client = APIClient()
client.force_login(user)
response = client.post(
f"/api/v1.0/documents/{child.id}/ask-for-access/{document_ask_for_access.id}/accept/"
)
assert response.status_code == 404